feat: bump identity_service_config to ga (#1997)

Co-authored-by: Andrew Peabody <andrewpeabody@google.com>

Author: DrFaust92

README.md

@@ -165,6 +165,7 @@ Then perform the following commands on the root folder:
 | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
+| enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
@@ -259,6 +260,7 @@ Then perform the following commands on the root folder:
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
 | identity\_namespace | Workload Identity pool |
+| identity\_service\_enabled | Whether Identity Service is enabled |
 | instance\_group\_urls | List of GKE generated instance groups |
 | intranode\_visibility\_enabled | Whether intra-node visibility is enabled |
 | location | Cluster location (region if regional cluster, zone if zonal cluster) |

autogen/main/cluster.tf.tmpl

@@ -216,6 +216,13 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "identity_service_config" {
+    for_each = var.enable_identity_service ? [var.enable_identity_service] : []
+    content {
+      enabled = identity_service_config.value
+    }
+  }
+
   enable_kubernetes_alpha     = var.enable_kubernetes_alpha
   enable_tpu                  = var.enable_tpu
   enable_intranode_visibility = var.enable_intranode_visibility
@@ -234,13 +241,6 @@ resource "google_container_cluster" "primary" {
       enabled = pod_security_policy_config.value
     }
   }
-
-  dynamic "identity_service_config" {
-    for_each = var.enable_identity_service ? [var.enable_identity_service] : []
-    content {
-      enabled = identity_service_config.value
-    }
-  }
   {% endif %}
   {% endif %}
 

autogen/main/main.tf.tmpl

@@ -163,12 +163,12 @@ locals {
   cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled=false }])[0].disabled
   cluster_output_vertical_pod_autoscaling_enabled   = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
   cluster_output_intranode_visbility_enabled        = google_container_cluster.primary.enable_intranode_visibility
+  cluster_output_identity_service_enabled           = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
 
 {% if beta_cluster %}
   # BETA features
   cluster_output_istio_disabled                   = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
   cluster_output_pod_security_policy_enabled      = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
-  cluster_output_identity_service_enabled         = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
   cluster_output_secret_manager_addon_enabled     = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
 
   # /BETA features
@@ -226,6 +226,7 @@ locals {
   }]
   confidential_node_config                 = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
   cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
+  cluster_identity_service_enabled         = local.cluster_output_identity_service_enabled
   {% if autopilot_cluster != true %}
   cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
     enable_certificates = var.enable_mesh_certificates
@@ -239,7 +240,6 @@ locals {
   cluster_telemetry_type_is_set            = var.cluster_telemetry_type != null
   {% endif %}
   cluster_pod_security_policy_enabled      = local.cluster_output_pod_security_policy_enabled
-  cluster_identity_service_enabled         = local.cluster_output_identity_service_enabled
   cluster_secret_manager_addon_enabled     = local.cluster_output_secret_manager_addon_enabled
 
   # /BETA features

autogen/main/outputs.tf.tmpl

@@ -224,17 +224,17 @@ output "pod_security_policy_enabled" {
   value       = local.cluster_pod_security_policy_enabled
 }
 
-output "identity_service_enabled" {
-  description = "Whether Identity Service is enabled"
-  value       = local.cluster_identity_service_enabled
-}
-
 output "secret_manager_addon_enabled" {
   description = "Whether Secret Manager add-on is enabled"
   value       = local.cluster_secret_manager_addon_enabled
 }
 {% endif %}
 
+output "identity_service_enabled" {
+  description = "Whether Identity Service is enabled"
+  value       = local.cluster_identity_service_enabled
+}
+
 output "intranode_visibility_enabled" {
   description = "Whether intra-node visibility is enabled"
   value       = local.cluster_intranode_visibility_enabled

autogen/main/variables.tf.tmpl

@@ -886,18 +886,20 @@ variable "sandbox_enabled" {
   default     = false
 }
 
-variable "enable_identity_service" {
+variable "enable_gcfs" {
   type        = bool
-  description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
+  description = "Enable image streaming on cluster level."
   default     = false
 }
+  {% endif %}
+{% endif %}
 
-variable "enable_gcfs" {
+{% if autopilot_cluster != true %}
+variable "enable_identity_service" {
   type        = bool
-  description = "Enable image streaming on cluster level."
+  description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
   default     = false
 }
-  {% endif %}
 {% endif %}
 {% if autopilot_cluster %}
 variable "allow_net_admin" {

cluster.tf

@@ -173,6 +173,13 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "identity_service_config" {
+    for_each = var.enable_identity_service ? [var.enable_identity_service] : []
+    content {
+      enabled = identity_service_config.value
+    }
+  }
+
   enable_kubernetes_alpha     = var.enable_kubernetes_alpha
   enable_tpu                  = var.enable_tpu
   enable_intranode_visibility = var.enable_intranode_visibility

main.tf

@@ -123,6 +123,7 @@ locals {
   cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled
   cluster_output_vertical_pod_autoscaling_enabled   = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
   cluster_output_intranode_visbility_enabled        = google_container_cluster.primary.enable_intranode_visibility
+  cluster_output_identity_service_enabled           = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
 
 
   master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{
@@ -168,6 +169,7 @@ locals {
   }]
   confidential_node_config             = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
   cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
+  cluster_identity_service_enabled     = local.cluster_output_identity_service_enabled
   cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
     enable_certificates = var.enable_mesh_certificates
   }] : []

modules/beta-autopilot-private-cluster/main.tf

@@ -91,11 +91,11 @@ locals {
   cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled
   cluster_output_vertical_pod_autoscaling_enabled   = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
   cluster_output_intranode_visbility_enabled        = google_container_cluster.primary.enable_intranode_visibility
+  cluster_output_identity_service_enabled           = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
 
   # BETA features
   cluster_output_istio_disabled               = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
   cluster_output_pod_security_policy_enabled  = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
-  cluster_output_identity_service_enabled     = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
   cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
 
   # /BETA features
@@ -130,11 +130,11 @@ locals {
   }]
   confidential_node_config             = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
   cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
+  cluster_identity_service_enabled     = local.cluster_output_identity_service_enabled
 
   # BETA features
   cluster_istio_enabled                = !local.cluster_output_istio_disabled
   cluster_pod_security_policy_enabled  = local.cluster_output_pod_security_policy_enabled
-  cluster_identity_service_enabled     = local.cluster_output_identity_service_enabled
   cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled
 
   # /BETA features

modules/beta-autopilot-private-cluster/outputs.tf

@@ -179,16 +179,16 @@ output "pod_security_policy_enabled" {
   value       = local.cluster_pod_security_policy_enabled
 }
 
-output "identity_service_enabled" {
-  description = "Whether Identity Service is enabled"
-  value       = local.cluster_identity_service_enabled
-}
-
 output "secret_manager_addon_enabled" {
   description = "Whether Secret Manager add-on is enabled"
   value       = local.cluster_secret_manager_addon_enabled
 }
 
+output "identity_service_enabled" {
+  description = "Whether Identity Service is enabled"
+  value       = local.cluster_identity_service_enabled
+}
+
 output "intranode_visibility_enabled" {
   description = "Whether intra-node visibility is enabled"
   value       = local.cluster_intranode_visibility_enabled

modules/beta-autopilot-private-cluster/variables.tf

@@ -492,6 +492,7 @@ variable "enable_l4_ilb_subsetting" {
   description = "Enable L4 ILB Subsetting on the cluster"
   default     = false
 }
+
 variable "allow_net_admin" {
   description = "(Optional) Enable NET_ADMIN for the cluster."
   type        = bool